Module Code & Module Title

CC5004NI Security in Computing

Assessment Weightage & Type

40% Seen Exam

Year and Semester

2020-21 Autumn

Student Name: Aayush Gotame

Group: N8
London Met ID: 19031234
College ID: NP01NT4A190132
Exam Date: 25th May

I confirm that I understand my coursework needs to be submitted online via Google Classroom under the
relevant module page before the deadline in order for my assignment to be accepted and marked. I am
fully aware that late submissions will be treated as non-submission and a marks of zero will be awarded.
Table of Contents

Introduction ..................................................................................................................... 1

Task 01 ........................................................................................................................... 5

Task 2 ........................................................................................................................... 29

References .................................................................................................................... 42
List of Figures

Figure 1: Topology .......................................................................................................... 8

Figure 2: TACACS+ Server ............................................................................................. 9
Figure 3: CORE_01’s running configuration .................................................................. 10
Figure 4: terminal session of END_PC_01 .................................................................... 10
Figure 5: TACACS+ server is unavailable ..................................................................... 11
Figure 6: terminal session of END_PC_01 (2) .............................................................. 11
Table of Tables

Table 1: Permutation by 10-bits .................................................................................... 17

Table 2: Permutation of key by 10-bits .......................................................................... 17
Table 3: Permutation of key by 10-bits .......................................................................... 17
Table 4: Permutation of key by 10-bits .......................................................................... 18
Table 5: Initial permutation ofplain text in 8-bit table ..................................................... 19
Table 6: Permutation of right half bits in 8-bit table ....................................................... 19
Table 7: s-1 box for right half......................................................................................... 20
Table 8: Permutation of combined output...................................................................... 21
Table 9: 8-bit cipher text ................................................................................................ 23
Abstract
Information security, ethical hacking, and the IAAA concept were all covered in this article.
In this article, I also spoke about the CIA Triad. This report includes an algorithm that
creates a row based on the query. I've already gone through the different flaws and how
to fix them. Now, let's talk about it in the report.
CC5004NI SECURITY IN COMPUTING

Introduction

Simply, security is the preservation of a reasonable degree of risk. The result of the
accumulation of threats and the consequences of weakness is hazard. Every part of our
lives requires security. It safeguards core values against the possibility of loss or some
other risk. It's difficult to define security and, over the course of human history, the term
has been defined in a variety of ways by various people at different times. For example,
some people keep guards in their homes as a deterrent (control) against thieves that
could cause harm, such as robbery (risk). The house is secured and there is a guard on
duty. The home is safe if the guard does his duties on a daily basis. If not, there might be
certain dangers and threats.

The security of information is one of the most relevant and thrilling career paths in the
world today. InfoSec is the practice of protecting information from unauthorized entry,
use, leak, interruption, alteration, perusal, analysis, recording or destruction, simply
known as InfoSec. Information security It is a common concept that can be used
irrespective of the manner in which the details are supplied (e.g. electronic, physical data,
with awareness of protection of the records, we rely on the safeguarding of our data and
the guarantee to preserve its value). (Mohammed Mahfouz Alhassan, 2017) There are
three critical components to maintain information security assets in an enterprise. They
are: confidentiality, integrity, availability.

a. Confidentiality
We want to make sure that only the right people see sensitive information when we use
it. There should be safeguards in place to prevent data from falling into the wrong hands.
The more delicate the information, the more important it is to protect their privacy. To
encrypt your personal addresses, for example, you can only need a simple password.
Online banking, on the other hand, could use still higher security requirements, such as
at least two-factor authentication.

1
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

b. Integrity
Simply put, honesty implies having faith in the authenticity of our records. We must ensure
that all data or knowledge we use is trustworthy. If we submit financial statements or a
contract, we must ensure that the person receiving the specifics has access to the same
information you do. You don't want a malicious hacker to alter your financial documents
or apply additional clauses to your contract without your permission. By converting a word
document to a pdf, for example, you will already preserve your reputation. Hashing and
checksums, file permissions, and device access restrictions are all tools for keeping our
data private. We'd also want to provide a secure backup of documents, so that if there
are indications that evidence has been tampered with or otherwise destroyed, an up-to-
date copy may be retrieved. (Brooks, 2019)

c. Availability
Availability ensures that registered users have access to the records. It ensures that
authenticated users can access the device and data whenever necessary. In addition,
availability is essential, as is confidentiality and honesty. Overall, Availability is related to
stability and device uptime, which can be affected by non-malicious problems such as
hardware degradation, unplanned program downtime, and human errors or malicious
problems such as cyber-attacks and insider threats. Users cannot access vital information
and software if the network goes suddenly offline. (Smart Eye Technology, 2020)

The IAAA is therefore very relevant in conjunction with the CIA. The IAAA stands for
identifying, authenticating, authorizing, and accountability. It is also very critical to ensure
the confidentiality of information and with this method you can monitor how much
information a person can access.

2
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

a. Identification
Identification happens when a consumer asserts or declares an identification (or any
subject). This can be done with a username, a process identification, a smart card or
anything you can uniquely recognize a subject. When deciding whether a subject should
access an object, security systems use this identity.

b. Authentication
Authentication is an identity proving process and it happens when subjects have
adequate identity proof. The password shows, for example, when a user gives the right
password, that the user holds the username.

c. Authorization
After identification and authentication of a person, authorizations may be issued
according to its established identity. It is necessary to note that without identity and
verification, you cannot get independent authorization. In other words, you can allow
access for everyone to resources or restrict access for everyone to resources if everyone
logs in with the same account. You can't distinguish between accounts if everyone uses
the same username. (blogs, 2021)

d. Accountability
The final A in AAA is the accounting. This is the mechanism that monitors the behaviour
of a user when it is connected to a system; the trail includes the sum of time, accessed
services and transferred data. For trends, infringements detection and criminal
investigation accounting statistics are used. Maintaining track and actions of users serves
many purposes. For example, tracing incidents prior to an incident involving cybersecurity
will prove very useful for forensic detection and research. (ccsinet, 2021)

Symmetric encryption algorithms are hidden key encryption algorithms. This is because
these algorithms often use a single key that is kept secret by the computers used in the
encryption and decryption procedures. This same key is used for both encryption and
decryption. Symmetric key algorithms are generally considered to be very stable. In
3
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

general, they are considered to be more robust than asymmetric key algorithms. Any
symmetric key algorithm is thought to be nearly impenetrable. Furthermore, symmetric
key algorithms are extremely fast. They are often used in situations where a large amount
of data has to be encrypted. (Qahtan M. Shallal, 2016)
The asymmetric key encryption is also referred to as public key encryption. In asymmetric
key encryption, both the encrypting and decrypting schemes use the same set of keys.
One is the name of the public key, and another is the name of the private key. If one of
the keys in the pair encrypts the code, the message can be decrypted with the other key
in the pair. The speed of key asymmetric algorithms is slower than that of key symmetric
algorithms. This is attributed in part to the fact that asymmetric key algorithms are
normally more complicated due to the use of a more sophisticated set of functions.
(Yackel, 2020)
Ethical Hacking often referred to as penetration testing is an act that enters the
infrastructure or networks to identify risks, bugs, and the losses of records, financial loss,
or any significant harm in the malicious attackers' programs. The aim of ethical hacking
is to boost network or networks security by repairing the bugs that are identified during
research. Ethical hackers can use the same methods and tools that malicious hackers
use to improve safety and protect systems from attack by malicious users with approval
by the individual approved. (GreyCampus, 2021)

4
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Task 01

a) Explain the role of access controls in an organization by thoroughly explaining

what each of the four components in it specifically does in achieving an overall
solution.
Access control is a way of ensuring that people are who they think they are and have
enough access to corporate records. Memory, disk, network port, and printer are just
some of the inputs that a computer program manages (object access). The customer
(subject to access) accesses the operating machine tools. A comparison display is
provided by access control. The item to which the authorization process to obtain access
rights is directed (which can do with object). The subject may not be allowed to access
each object, and may not be able to provide all forms of access to the object. (Tawfik
Mudarri, 2015)
In an organization, access control systems perforate authentication, authorization of
users and organizations by valuing specified login credentials that could contain
passwords, PINs, biometric scans, security tokens, etc. Authentication multifactor (MFA)
needs two or more authentication factors also forms part of the protection of the access
control systems in a layered security. Data security is the most essential part. To secure
the data systematically, there are four main components of access control. (Lutkevich,
2021)They are:
1. Identification
2. Authentication
3. Authorization
4. Accountability

1. Identification
When you log in to most websites, you must have a username. You can choose a user
name to identify you if you have an account. This username is "Identification" which you
give during login. It's just a way of asserting your identity.
In an organization, identification system should be maintained properly. In an
organization, for example, everyone is given a unique identification that verifies the

5
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

staff's identity from where they get access to the workplace system in an organization. If
the staffs lost his/her identity, then he/she won’t get access to the workplace.

2. Authentication
Then what do you enter next? Now that you have entered your username? The
password. Authentication is all like this. You authenticate or show that you are the person
you appear to be in this section. Different mechanisms can allow for authentication. Let's
understand those forms:

a. Something You Know: Here your information or what you know is authenticated. You
may use a PIN, password, ring, name pet, etc. This is today's most frequent authentication.
This is still one of the cheapest mechanisms for authentication.

b. Something You Have: Authentication occurs with ownership, i.e. something that you
possess or have. An ID, a credit card, an RSA key, a safety bracelet are all examples of
items you can possess and authenticate with. Under such situations, this badge might be
a problem whether it's robbed or lost.

c. Something You Are: In this case, the authentication is done by YOU (characteristic).
A physical characteristic is used to verify your identity. Fingerprints, speech prints, iris
scans, palm prints, and other biometrics are examples of characteristics.

d. Dual factor Authentication / Multifactor Authentication: Multi-factor authentication

refers to the use of more than one authentication factor.

For instance, any employee of an organisation can establish and use an identification (for
example, a user name) to log into the online service of the company. Therefore, the
authorisation policy of the company must make it possible for the company to use the system
only when your identity is checked.

6
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

3. Authorization

At many times, many are mistaken for authentication and authorization. It seems simple
for many to do so if I am authenticated. The system to which this subject has access
requires to assess whether it has been granted the rights and privileges required to
perform the requested activities, until it has provided its credentials and is properly
recognized. Consider your e-mail and your credentials where you are logged in. You can
write a letter, delete a mail and make any modifications you can make. Can you modify
the message server? No, so this is not permitted for you. Effective authentication however
does not guarantee permission. Effective authentication just shows that the credentials
are in the system and that the identity you claimed was proven successfully.

Employees are allowed access to the files they use to perform their work, for example, in
the organisation. They won't be able to use their files if they don't have permission.
Outsiders would not be able to access the device in this way. Only approved staff have
access to the device.

4. Accountability

Accountability is the mechanism that tracks the operation of the user when connected to
a system; the path includes how long it takes to access resources and how much data it
transfers. The means of ensuring accountability is to identify the subject individually and
to report the conduct of the subject.

Imagine, for example, that a user requires some rights to function in an organization. What
if he/she chooses to abuse these privileges? If the audit records are open, you can
investigate and hold the person responsible on the basis of those documents, who
misused these rights. (Pahwa, 2018)

7
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

b. Configure the following network topology inside CISCO packet tracer.

Figure 1: Topology

8
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

i) Configure CORE_01 to identify and authenticate any TELNET sessions from

END_PC_01 via the TACACS+ protocol and server (TACACS+ Server).

Figure 2: TACACS+ Server

9
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

ii) Use screenshots of the CORE_01’s running configuration, TACACS+ Server’s

AAA configuration and the terminal session of END_PC_01, to verify that the
identification and authentication is indeed happening via the server and not the
router.

Figure 3: CORE_01’s running configuration

Figure 4: terminal session of END_PC_01

10
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

iii) Configure CORE_01 with a backup username and password and show using
screenshots of the CORE_01’s running configuration and the terminal session
of END_PC_01 that if the TACACS+ server is unavailable, the process of
identification and authentication carry out via the CORE_01’s local database
itself.

Figure 5: TACACS+ server is unavailable

Figure 6: terminal session of END_PC_01 (2)

11
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Question 2

a) Using your own combination of a plain text and a symmetric key value, explain
how the Caesar Cipher uses its simple substitution technique for transforming
plain text into cipher texts (encryption) and cipher texts back to the respective plain
texts (decryption).

The Caesar cipher is a basic, old way of encrypting plain text messages into cipher text
that keeps them safe from prying eyes. With the arrival of powerful machines, however,
the complexity of such techniques must be increased. The Caesar cipher is based on
transposition, which entails moving a certain number of letters from each letter of the
plaintext message. Caesar ciphers are simple to make, but they are also simple to break.
The encryption is done using a Caesar Cipher key string, which is mostly just the
alphabet's 26 letters. To break ciphers, we can use a technique called Frequency
Analysis. We have an integer value for the number of alphabets we have to go forward
with this kind of encryption. This is also known as a move. Similarly, any letter of the
alphabet has an integer value, with A=0, B=1, C=2, and so on down to Z=25. A formula
can be used to define the encryption of a letter using a shift n.
Formula for encryption
C=(P+K) mod 26

Formula for decryption

P=(C-K) mod 26

For the time being, we'll encrypt the term "surround" We'll use an encryption form that
needs five shifts forward instead of three in the Caesar cipher. The encryption procedure
will be as follows:

S=> C=(P+K) mod 26= (18+5) mod 26=X

U=> C=(P+K) mod 26= (20+5) mod 26=Z
R=> C=(P+K) mod 26= (17+5) mod 26=W
R=> C=(P+K) mod 26= (17+5) mod 26=W
12
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

O=> C=(P+K) mod 26= (14+5) mod 26=U

U=> C=(P+K) mod 26= (20+5) mod 26=Z
N=> C=(P+K) mod 26= (13+5) mod 26=S
D=> C=(P+K) mod 26= (3+5) mod 26=I

So, the word ‘surround’ encrypted into ‘XZWWUZSI’

Now to decrypt this word,

X=>P=(C-K) mod 26 = (23-5) mod 26=S
Z=>P=(C-K) mod 26 = (25-5) mod 26=U
W=>P=(C-K) mod 26 = (22-5) mod 26=R
W=>P=(C-K) mod 26 = (22-5) mod 26=R
U=>P=(C-K) mod 26 = (20-5) mod 26=O
Z=>P=(C-K) mod 26 = (25-5) mod 26=U
S=>P=(C-K) mod 26 = (18-5) mod 26=N
I=>P=(C-K) mod 26 = (8-5) mod 26=D

This decryption back to ‘surround’

13
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

b) Through a working example of a Row Transposition Cipher (you are free to use
any plain text and symmetric key values), explain how it does not maintain the
concept of unconditional security and computational security.

A transposition cipher that rearranges the terms during the encryption process is known
as a row transposition cipher. The Plaintext is written in a rectangle row by row, and the
message is read off column by column, in this cipher. The columns' order is permuted,
and this becomes the algorithm's key.
For example, if we are encrypted a plain text “EXCUSE ME WHILE I KISS THE SKY” with
the key (4521367).
The numbers that are the key are arranged in the numeric value of the alphabetical order
by using key.
Encryption
Key:
4 5 2 1 3 6 7
E X C U S E M
E W H I L E I
K I S S T H E
S K Y W X Y Z

The terms are now grouped in order of the keys' number. As a result, the encrypted text
will be “UISW CHSY SLTX EEKS XWIK EEHY MIEZ”

Now,
Decryption
Key:
4 5 2 1 3 6 7
E X C U S E M
E W H I L E I
K I S S T H E
S K Y W X Y Z

14
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Now that we know that our terms have been rearranged in the 4521367 order according
to the main, we know that UISW was the first combination of words and CHSY was the
second combination of words. SLIX was the third word combination. EEKS is the fourth
word combination. The fifth word combination was XWIK. The sixth word combination
was EEHY, and the seventh word combination was MIEZ. As a result, we rearrange it in
that order, resulting in the table seen above. We get the plain text back when these
alphabets are rearranged in the row to row order again. “EXCUSE ME WHILE I KISS THE
SKY,” in other words We should delete WXYZ because we know it isn't part of the cipher
text and was added to complete the rectangle. “EXCUSEMEWHILEIKISSTHESKY” is
now our plain text

Because the number of words in plain text and encrypted text are identical, and only the
alphabets are jumbled, it can be quickly decrypted, this does not uphold the principle of
unconditional protection. As a result, the principle of unconditional protection states that
"even though an attacker's capabilities are next to unlimited, they will still be unable to
break the cypher text or coded data due to the uncertainty of the text to the attacker."
However, if the intruder manages to rearrange the terms, he will most likely be effective
in determining the right structure, allowing him to decode the word.

15
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

c. By demonstrating the encryption stage of the SDES algorithm, explain the

following idea that, a cipher text generated using the SDES algorithm is superior in
terms of security, when we compare that cipher text to the output (cipher texts) of
simple substitution and transposition ciphers such as the Caesar Cipher and the
Row Transposition cipher. You can use your own combination of a plain text and a
key value for the demonstration of the SDES encryption process.

“"Simplified EDS is an educational rather than a stable encryption algorithm, created by

Professor Edward Schaper of Santa Clara University. The configuration and properties
are similar to DES and have much fewer parameters. The Data Encryption Standard
(DES) is a symmetric key system that encrypts a 64-bit text in its corresponding 64-bit
text cypher with a 56-bit key. In the form of 8 bit plain/cypher text and a 10-bit key, the
encryption procedure can be reduced to the size (SDES).

2.2.1 Demonstration of the SDES algorithm:

The 5 functions SDES algorithm is: the original permutation (IP) function, a permutation
function (Fk), and a main replacement function, the switching function (SW) for half the
data generated, and reverse initial permutation operation (IP-1). Let's get our plain text
4A, the 8-bit, binary plain text of "01001010."

16
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

First Step: Creation of 10 bit key and permuting it into two 5-bit keys

We take a key of 10 bits: “1100100100” which needs to be permuted in repeated

sequences and algorithm to obtain 5-bit keys.
i. First the key bits are permuted to get “35274101986” as show in the 10-bit table
below. Then add the key into the table to get an output of “1000001100”

Input 1 2 3 4 5 6 7 8 9 10
Output 3 5 2 7 4 10 1 9 8 6
Table 1: Permutation by 10-bits

Input 1 1 0 0 1 0 0 1 0 01
Output 0 1 1 0 0 0 1 0 1 0
Table 2: Permutation of key by 10-bits

i. Halve the output to get Left = “0 1 1 0 0” and Right = “0 1 0 1 0” and shift the bits
by one round, to get “11000 10100” as output. Permute the entire bit after removing the
first two bits in an 8bit table.

Input 1 2 3 4 5 6 7 8 9 10
Output 1 1 0 0 0 1 0 1 0 0
Input 6 3 7 4 8 5 10 9
Output 1 0 0 0 1 0 0 0
Table 3: Permutation of key by 10-bits

The output obtained is the first key K1 = “1 0 0 0 1 0 0 0”

ii. For the second key, we take the rounded 5 bit digits obtained which are 11000
and 10100. We two round shift these keys to obtain 0 0 0 1 1 and 1 0 0 1 0 respectively.

17
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

iii. The double shifted key is permuted in a 10-bit table to obtain the second key
K2 = 1 0 0 1 0 1 0 1

Input 1 2 3 4 5 6 7 8 9 10
Output 0 0 0 1 1 1 0 0 1 0
Input 6 3 7 4 8 5 10 9
Output 1 0 0 1 0 1 0 1
Table 4: Permutation of key by 10-bits

Thus, the two keys obtained are K1 and K2, 1 0 0 0 1 0 0 0 and 1 0 0 1 0 1 0 1 respectively.

18
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Second Step: 1st function based plain text (initial) permutation

The plain text is permuted in an 8-bit table to get the output 1 0 1 0 1 0 0 1.

Bits as 1 2 3 4 5 6 7 8
number
Bits to be 0 1 0 0 1 0 1 0
permuted
Permute as 2 6 3 1 4 8 5 7
sequence
Permuted 1 0 0 0 0 0 1 1
bits
Table 5: Initial permutation ofplain text in 8-bit table

Third Step: Swapping of Halved bits

The output, 10000011 is halved into Left = “1000” and Right = “0011”. We take the right
half and expand it into 8 bits using an expanding and permutating table to get “0 1 0 0 0
0 0 1”.

Right half 1 0 0 0
bits
Number 1 2 3 4 5 6 7 8

Expand bits 4 1 2 3 2 3 4 1

Output of 0 1 0 0 0 0 0 1
bits
Table 6: Permutation of right half bits in 8-bit table

We take the output and use XOR function on the first key obtained K1, the Algebraic
expression of XOR leads to the truth table of, 0+0=0, 0+1=1, 1+0=1 and 1+1=0. We get,
“0 1 0 0 0 0 0 1” ⊕ ” 1 0 0 0 1 0 0 0” = “1 1 0 0 1 0 0 1”

19
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Further divide the output into two halves and input them into S-0 and S-1 boxes.

Row and 0 1 2 3
Column
0 01 01 11 10

1 11 10 01 00

2 00 10 01 11

3 11 01 11 10

Fir the left half and the output of the right of in S-1 box is,
Left half: 1 1 0 0
Row: 2nd row
Col: 2nd column
The answer is 01

Row and 0 1 2 3
Column
0 00 01 10 11

1 10 00 01 11

2 11 00 01 00

3 10 01 00 11

Table 7: s-1 box for right half

For the right half and the output of the right of in S-1 box is,

20
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Right half: 1 0 0 1
Row: = 3rd row
Col = 0th column
The answer is 10

Now, a combination of Left half: {01} and right half: {10} results in 0 1 1 0 and are put in
P-4 (permutation 4) table.

Numbers 1 2 3 4

Input 0 1 1 0

Output should be 2 4 3 1

Out-Put 1 0 1 0

Table 8: Permutation of combined output

Now the output is: 1 0 1 0, Now an XOR output is calculated with left 4 bits of Initial Per-
mutation which are 1 0 0 0.
1010⊕1000=0110

Now get the right half of the initial permutation is combined that with this output.
Right half of IP (initial permutation): 0 0 1 1
0 1 1 0 – 0 0 1 1= 0 1 1 0 0 0 1 1
Now the output in 8 bits is 0 1 1 0 0 0 1 1 broken into Left: {0 1 1 0} right: {0 0 1 1} and
swapped to result in Left half: { 0 0 1 1 } right half: {0 1 1 0}

21
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Fourth Step: 2nd function-based text permutation

The process is repeated from the initial Permutation using second key K 2.
After conducting initial permutation on 0 0 1 1 0 1 1 0 with the IP-8 table output will be:
01101001
Which is broken into two halves
Left {0 1 1 0} right {1 0 0 1}

The right 4bits are processed in EP table, and get the result of 8 bits, 1 1 0 0 0 0 1 1
This output is XOR functioned with K2.
11000011⊕10010101

Out-put of EP: 1 1 0 0 0 0 1 1
output: 0 1 0 1 0 1 1 0

Again, the output of XOR bits are halved:

Left: {0 1 0 1} right: {0 1 1 0}

Rows and columns need to be defined so the values are calculated.

For the Left Half: 0 1 0 1

Row = 1nd row
Col = 2nd column
For row one and column zero the value is 01.

For the Right half: 0 1 1 0

Row = 0
Col = 3
22
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

For row zero and column three the value is 11.

Both halves are combined together to get 0 1 1 1

The obtained 4 bits, are processed in the permutation table P-4 to get the result of
1 1 1 0.

XOR is calculated with left 4 bits of Initial permutation and the output.
1110⊕ 0110 =1000

The right half of the initial permutation is combined with output to get 1 0 0 0 1 0 0 1

Once again, the output is broken into two halves, Left: {1 0 0 0} right: {1 0 0 1}.

Finally, both halves are swapped obtain, 1 0 0 1 1 0 0 0

Fifth Step: Inverse of initial permutation

Now, the value of 1 0 0 1 1 0 0 0 is put into IP-1 Table

Numbers 1 2 3 4 5 6 7 8

Input 1 0 0 1 1 0 0 0

Out-put to 4 1 3 5 7 2 8 6
be
Out-Put 1 1 0 1 0 0 0 0

Table 9: 8-bit cipher text

The Output is an 8-bit cipher text, 1 1 0 1 0 0 0 0

23
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Finally, the plain text: "01001010” has been Encrypted into cipher text which is
“11010000”

24
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Question 03:
Deliver comprehensive notes on the following two topics by including their main
ideas, strategies, implements and techniques:

a. The Foot printing process of gathering information

Footprinting is one of the techniques for collecting data and information on the target
device. The technology of footprinting often refers to phases of network pre-attacks.
Network information including Network ID, domain name along with internal domain
names, access control systems, IP addresses, protocols, VPNs, permissions, user and
community details, routing tables, device banders, news and press releases, remote-
system forms, web server links and others are typically collected in the Footprinting
process. If an attacker obtains confidential information, they can use it to commit fraud,
create false profiles, and so on. By collecting more common types of information about
the target's desires and behaviours, the intruder will enter a variety of other social
networking sites and communities, resulting in still more Footprinting. (Shruti Shreya,
2020)

Some of the methods of foot printing are:

➢ Port Scanning
Port scanners are used to determine live internet hosts and to figure out which
TCP and UDP ports are available on each host and which operating system is
mounted on each system. Port scanners are often used in the identification of live
hosts.

➢ Google Hacking
Google Hacking is used to detect a security flaw on the internet through a search
engine one the internet. Web vulnerabilities are typically present in two types:
software and misconfiguration vulnerabilities. While some advanced intruders
attack a particular device and attempt to locate vulnerabilities to enable entry, the
overwhelming majority of the intruders start using a single program vulnerability, a
25
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

typical user setup, and are merely attempting to find or search systems with the
vulnerability. (Tech Target Contributor, 2021)

➢ Ping Sweep
The attacker will run a Ping Sweep if they want to know which devices on your
network are actually live. Ping sends echo requests to the target device with ICMP
packets, which are waiting for an echo response. If the device cannot be accessed,
a "time off message" will be displayed; but, if the device is online and is not limited
to answering it, it will give an echo response back. (Knowledge hut, 2021)

➢ Who is lookup
Who is Lookup is a method for finding data including DNS, domain names, servers
with names, IP addresses and others. Who is utility interrogates the internet
domain and returns the ownership of the domain, title, location, telephone number,
and other information about a specific domain name for Internet domain name
management.

➢ DNS footprinting
DNS is a machine naming scheme that transforms readable human domain names
to computer IPs, and vice versa. To satisfy its demands, DNS uses UDP port 53.
(Grey Campus, 2021)

26
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

b. The Scanning process for substantiating information.

Scanning is another important step, and it relates to the technical system and the
procedures used for identifying hosts, ports and different network resources. Network
scanning is one of the components of the information collection and recovery process
used to construct a situation for the target enterprise by an assailant (target organization:
means the group of people or organization which falls in the prey of the Hacker). We can
see some objectives, types and scanning methodologies below:
Objectives of Network Scanning
• To find live hosts, IP address and access victims' ports.
• To find services running on a host computer.
• To find and address live hosts vulnerabilities
•
Scanning Methodologies
• Live applications are tested by hackers and pen-testers.
• Check open ports
• Scanning beyond IDS

Types of scanning

• Port Scanning
It's a standard approach for penetration testing and hacking that involves
searching for open doors that enable hackers to gain access to a company's
infrastructure. Hackers must learn about live hosts, firewall installations, operating
systems, different systems related to the device, and the topology of a targeted
enterprise in order to perform this scan.

27
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

• TCP/IP Handshake
We must consider the 3-way TCP/IP handshaking mechanism before switching to
scanning techniques. Handshaking means an automatic procedure, in machine
words, which uses certain protocols to set the complex parameters on a
communication channel. The two protocols used for handshaking between the
client and the server are TCP (Transmission Control protocol) and IP (Internet
Protocol).

• Vulnerability Scanning
It is the automatic constructive detection of a system's flaws inside a network to
decide if the system can be compromised or endangered. The machine should be
wired to the internet in this situation. (w3schools, 2021)

28
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Task 2

i. New developments in the domain of vulnerability assessment systems, tools, and

methodologies.

Problem Domain
The problem domain is software which solves problems for some users where bigger
programs, or enterprises, may rely on the software, and where software problems may
cause an indirect loss. Construction of software of high quality allows implementation to
be split into stages, in order to analyse and check the performance of each process, to
remove bugs. This will include more documents, standards, procedures, etc., to divided
the issue into phases and to early recognise defects.

Methodologies
The methodology used for evaluations relies essentially on the size of the study (e.g.,
statistical/empirical, numerical). On a broad scale, for example, the use of methodologies
focused primarily on statistical evidence along with analytical models derived from facts
and/or expertise in surveys (for example area, space etc.) or expert judgments is essential
for vulnerability assessed. When adequate observation data is available and instead for
local scale analyses, detailed or simpler mechanical models are chosen. We should take
these measures to make it expense to reduce the risks.

1. Create a Risk Management Team

The business owners think they are cyber soldiers, is just another major mistake. Any
ongoing activity within the company cannot be continued so that you can stay alert to
risks by building organizational ties.

2. Catalog Information Assets:

You can gather money details in an interdepartmental team. Additional organizations can
use SaaS providers to maintain sensitivity to risk information. One of the great risks of a
third-party supplier violation

29
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

3. Assess Risks
The information's similarity varies. No data will certainly be sent to you which is as
important as the other one. Moreover, not every provider takes data protection seriously.
You have to investigate the possible threats faced by vendors and records to the business
in this regard.

4. Set Security Controls

Once you have found a way to tackle a threat, the next step is to establish security
measures. Health monitoring is the key component of risk assessment practices.

Solution
Any of the top challenges facing companies with cyber risk management and very few
options for resolving them are presented here.

1. Predictive Analytics
IT employees should consider, what the threat is, when it will happen and where it will
come from to fight cyber-attacks effectively. Machine-driven analytic software can gather
extensive data on known cyber-attacks and apply the results to existing security
protocols.

2. Back Up Critical Data

A data backup plan is essential for companies for Dos attacks and malware threats.
Access to critical job data differs from quick online retrieval of systems and low downtime
resources and catastrophic server failures.

30
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

3. Cyber Insurance

In many markets, hacking is an acknowledged enterprise. In order to offset future financial

risks, many companies respond to buy insurance policies. The cyber insurance industry
is expected to hit 20 billion dollars by 2025. Once a generalized solution has been added,
stand-alone cyber insurance coverage has become popular to draw on many new
insurers.

4. Bug Bounties
Repeating and time-consuming identification of computer code glitches may be. Many
businesses simply cannot monitor their processes rigorously to avoid any defects or
shortcomings that hackers can use. In recent years, however, companies have agreed to
outsource the problem through bug bounty programs

Conclusion
In this executive measure, efforts were made to study and address current physical
vulnerability principles and methodologies for assessing various natural hazards in a
given jurisdiction. In order to fulfil the main objectives of ENGER project, which is to build
an integrated operational framework aimed at localizing and spatializing vulnerability to
different environments in the environment, common reasons and main differences
between different practices, were to be emphasized as well as possible gaps to be filled
in each field (e.g. poorly developing methods). (Evelyne Foerster, 2017)

31
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

ii. New developments in the domain of malware detection and their prevention.

Malware, which is short for malicious malware, is any software used to interrupt device
activity, collect personal information, or access privacy. Malware has a malicious purpose
and acts against a computer user's requirements that does not contain functionality that
causes unintended damage because of any weaknesses. The term barware is often used
for real malware and harmful applications both accidentally.

Problem Domain

Malware performs several of the internet cyber-attacks, including cyber warfare,

cybercrime, fraud and scams. For instance, Trojans can open a government network
backdoor access so that national attackers can steal sensitive information. Ransomware
can encrypt and then make it unavailable for the user and then decrypt the data after the
user has paid an amount of money. Many Distributed Denial-of-Service (DDoS) attacks
as well as spam and phishing operations are carried out by Botnet malware. In order to
better understand cyber threats and develop the necessary countermeasures, we must
review strategies behind the production and implementation of malware.

Methodology

Mobile methodology for malware identification can be divided into static, interactive and
hybrid techniques.

• Techniques and tools for detecting and analysing the malware

This report presents the first systematic survey of malware detection methods and
software. A large number of surveys in the field of machine learning malware
identification, android and a few surveys were conducted on static and dynamic an
analysis. Neither job, however, deals with technology and tools.

32
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

• State of the art Survey

This paper shows that the majority of surveys available in this field either are out of date
or are not a systematic view of the issue since they usually concentrate on a certain part
of the norm.

• List of Comprehensive tools

This paper presents a new overview of the broad list of malwares, memory forensics,
packet analytics, scanners, reverse engineering, debugging, and site analysis tools
available. This report provides an overview. It also differentiates the methods for malware
detection depending on a particular field and methodology.

• Guide for malware analysts

Finally, the contribution requested in this paper would allow researchers and malware
experts to obtain the right method for their field-specific analysis.

Solution
There are a few protections to prevent ransomware or API infections in your device that
will not only brick your telephone, but can root access and stolen your personal
information with disruptive infection rates.

• Safety and Live-Environment Requirements

Clearly, security of a malware analysis environment is critical because we cannot permit
malware to inflict unintentional harm to the Internet (for example, by mounting a service
denial attack from the analytic environment). Unfortunately, the most secure but also the
most extreme, since they are pure static methods, i.e., code analysis without execution
of a software.

33
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

• Virtualised Network Environments

Given the criteria of security and the living world, virtualization technology builds much of
the malware analysis environments. Virtualization allows operating systems to control
whole node networks (eg server, switch) seamlessly and effectively, often inside a single
physical computer.

• Avoid public Wi-Fi hotspots

Kaspersky Laboratories states que losing authentication in public Internet Wireless

hotspots enables hackers to quickly access unbacked computers on their respective
networks. Then hackers can easily access your information between their device and a
contact point from their location. Dangers can also use unsecured Wi-Fi hotspots to feed
mobile malware or connected tablets.

Conclusion
Secure was now primarily developed for mobile defence. The aim of our business is to
secure and protect intelligent appliances and computers. Our mobile app testing,
computer monitoring, forensics and security information capabilities provide us with a
unique range of mobile security information. We have also published a report to talk to
the media about certain information. We also help businesses manage and secure
electronic devices and applications connected daily.
While legal applications purchased without intentionally disappointing functions on official
app markets may have high-risk questions about safety. (Talukder, 2020)

34
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

c) New developments in the domain of the detection and mitigation of web

application vulnerabilities.

Web application have bugs that may contribute to severe violations of protection, such as
confidentiality. The precise steps of attacks and the advantages of current defensive
systems must be understood to defend themselves from violations.

Problem Domain
Classic fail to filter untrustworthy input leads to injection flaws. It can be done as unfiltered
data are transferred to the SQL server (SQL injection), the browser, the LDAP (LDAP
injection) server, or somewhere else. The concern here is that the intruder will send orders
to the organizations, which result in data loss and the deprivation of browsers for clients.
Anything received from untrusted sources from the application must be screened, ideally
by a whitelist. You can almost never use a blacklist, since it's difficult and typically easy
to circumvent. Typical cases of failing black lists include antivirus security devices. It
doesn't fit to match patterns.

Methodology
A decision on the software development approach is an essential step that must be made
before any commitment begins. Based on project priorities, specifications, complexity,
timeframe, team members involved, project management methods used, etc, there are a
number of software development methodologies. The most common approaches to web
application creation are covered in this article.

• Water Fall
Waterfall is the most traditional approach for app creation. Thanks to its plan-driven
methodology, it has actually been one of the most common methods for web
development projects over many decades. Waterfall lacks the versatility to
complete any step before it moves to the next stage. Once any changes or faults
are found, Waterfall will need a complete restart during the project.

35
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

• Agile
Agile is another commonly used technique for mobile app project creation. For
tasks without definite conditions and brief periods, the Agile Approach is also used.
Agile methodology also encourages rapid improvements in the scale and course
of the project depending on industry changes.

• Scrum
Scrum shares Agile's underlying concept of collaborating with production teams on
a regular basis. Scrum uses a web development approach where the squad is
crucial. This approach involves self-management and self-organization, such that
fewer projects with competent and cohesive team members are well suited.

• Extreme Programming
Extreme Programming (XP) is yet another agile methodology aimed at producing
high quality web applications and reactivity to evolving consumer needs. Like
several other Agile methods, XP concentrates on routine updates in brief periods,
allowing changes if necessary.

Solution
web applications are protected from several attacks by websites and internet
providers. These tools protect organizations from any flaw in the code of an
application. In order to maintain their company, numerous providers rely on web
application protection solutions. This involves organizations creating database
management software, SaaS software developers and more.
Some of the best web application security solution are:

36
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

• Rapid7
Rapid7 is a pioneer in risk control and cloud management for companies
of all sizes that pave the way for improved protection and privacy. Web
protection technologies from Rapid7 provide visibility software to identify
possible threats and threats, vulnerability evaluations and automatic
security measures.

• Datadog
A key element in safeguarding the company against attacks is to ensure
that your applications are fully visible and functional. Datadog is a solution
that offers companies the visibility that they need. With the user-free gui,
teams are able to immediately and across the broader network to identify
security risks.

• Netacea
Netacea is committed to real end-to-end security. The use of high-performance
software to defend your business more easily from hacks, ransomware and other
risks via DDoS. The WAF is the subject of the Netacea web app safety approach
(firewall). until signing up for Netacea programs, companies will have a
personalized firewall tutorial and other functions in motion.

• Mimecast
Mimecast offers the leaders of today a complete set of security options for modern
companies. From email protection problems to app faults, the entire cloud-based
infrastructure protects everything. You can shield the software from viruses and
malware and automatically detect threats.

37
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

Conclusion
This work provides an in-depth look at emerging web application vulnerability
assessment methods. We stressed that there are several unresolved issues that
need to be addressed. I heard about the web application, its mitigations,
vulnerabilities, and its solution as a result of this study Input authentication flaws,
as well as poor session handling and techniques for detecting web bugs. There
have been several works completed to address those concerns. (International
Journal of Advanced Computer Science and Applications, 2020)

38
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

iv) New developments in the domain of the security controls for protecting
organizational assets from the internal and external threats.

A security control is a "safeguard or countermeasure to protect the secrecy of an IT asset

or device and to satisfy a collection of specified security criteria" means a security check.
Security safeguards include management, organizational and technological activities
aimed at deterring, delaying or detecting, denying or mitigating cyber-attacks and other
information technology risks. Data defence includes the use of a wide range of security
checks that address data security, physical safety and security of the employees.

Problem Domain
While handling the assets, there might occur some problems. Properties are protected
from lawsuits by creditors seeking legitimately to take over the assets through a system
of procedures, policies and rules aimed at protecting the assets of entities and
companies.

Methodology
Asset protection preparation is focused on an examination of a variety of variables that
decide the level of security needed.
• Identity of the Debtor
If the debtor is a person, it is important to recognize any transmutation
arrangement between the person and their spouse (accords that dictate whether
assets are owned jointly between partners or separate). The risk of a case for each
partner must also be considered, so that the property rights of properties can be
transferred before the cases are brought against the "safer" person.

• Identity of the Creditor

For asset protection planning, the identification and form of creditor are relevant.
If the lender is a strong entity, such as the government, they will have greater
control over seizure of assets compared with private lenders. Persons who have
an attacking creditor's responsibility can have to have better asset management
plans and vice versa.
39
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

• Nature of the claims

Determines the intensity and type of asset security required by some forms of
claims and limits contained in loan agreements. For example, exchangeable
claims can be used in cases of failsafety that require a comparatively small level
of asset security. These claims (claims that can be written off or "injuncted" by the
court) are designed to defend personal properties.

• Nature of asset
Many kinds of collateral are not covered by charges by creditors. For example,
home owners are protected from compulsory home sales for mortgage relief by
the household exception. Thus, the kinds of collateral used in creditor statements
and the risk of each asset that is taken in case of a dispute are necessary to take
into account.

Solutions
• Using Corporations, Limited Partnerships (LPs), and Limited Liability Companies
(LLCs)
Corporate shareholders, limited associations and limited liability (LLCs)
organizations are usually government-protected by limited liability legislation,
under which private owners are not kept responsible for the debt of an agency or
company. The use of the companies mentioned above to borrow loans covers the
personal properties of the individual from confiscation in the event of a lawsuit.

• Using Asset Protection Trusts (APTs)

A Trust for Asset Défense (APT) is a sort of trust bank that maintains properties
that are protected from the creditors by the discretion of the settler (that is, the
person invested in the trust). The most powerful way of protecting property is also
used. The usage of APT, though, has certain inconveniences. One of them is that
after establishment of a trust, it cannot be repealed or reversed, because the use
of the power of lawful possession must be abandoned to secure property. The APT

40
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

agreements often block 'spendthrift' provisions, unless under such conditions, from
selling or using any credit replacement asset.

• Transferring Property Rights

An entity can pass to his partner, relative or a trustworthy friend the legal right to
an asset to protect the person from creditors' claims. This allows the claimant,
without fear of losing it to the creditors, to own their property. However, in dispute
with family members or partners (e.g. divorce), this often poses an immense
danger when the property is lawfully owned by them.

Conclusion
When evaluating the necessary safety checks in the following sections for the
possible implementation, it is crucial to remember the timing. Identify the controls
to be enforced immediately, the controls to be implemented in the near future, and
those which, because of resources shortages or other issues, need to be delayed
up to a later date. The ISMS Manager of the plant and all competent decision-
makers must approve all proposed safety controls.
The duty must be delegated to the facility for the performance of individual security
checks. A project schedule should be established to follow up on its status with
those selected security controls which cannot be carried out indefinitely until they
are enforced in the future. (FFIEC, 2017)

41
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

References

blogs, 2021. Identification, Authentication and Authorization. [Online]

Available at: https://blogs.getcertifiedgetahead.com/identification-authentication-
authorization/
[Accessed 25 5 2021].
Brooks, R., 2019. The CIA Triad and Real world Examples. [Online]
Available at: https://blog.netwrix.com/2019/03/26/the-cia-triad-and-its-real-world-
application/
[Accessed 25 5 2021].
ccsinet, 2021. Authentication, Authorization, Accountability and Indentification. [Online]
Available at: https://www.ccsinet.com/blog/aaa-identity-management/
[Accessed 25 5 2021].
Evelyne Foerster, Y. K. M. D., 2017. Methodologies to assess vulnerability of structural
systems. [Online]
Available at:
https://www.researchgate.net/publication/339301928_Tools_and_Techniques_for_Malw
are_Detection_and_Analysis
[Accessed 26 5 2021].
FFIEC, 2017. FFIEC_CAT_May_2017.pdf. [Online]
Available at: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf
[Accessed 25 5 2021].
Grey Campus, 2021. Footprinting Methodology. [Online]
Available at: https://www.greycampus.com/opencampus/ethical-hacking/footprinting-
methodology
[Accessed 25 5 2021].
GreyCampus, 2021. What is Ethical Hacking. [Online]
Available at: https://www.greycampus.com/opencampus/ethical-hacking/what-is-ethical-
hacking
[Accessed 25 5 2021].

42
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

International Journal of Advanced Computer Science and Applications, 2020. A Survey

on Detection and Prevention of Web. [Online]
Available at: https://thesai.org/Downloads/Volume11No6/Paper_65-
A_Survey_on_Detection_and_Prevention.pdf
[Accessed 26 5 2021].
Knowledge hut, 2021. What is footprinting in ethical hacking. [Online]
Available at: https://www.knowledgehut.com/blog/security/footprinting-ethical-hacking
[Accessed 25 5 2021].
Lutkevich, B., 2021. What is access control. [Online]
Available at: https://searchsecurity.techtarget.com/definition/access-control
[Accessed 25 5 2021].
Mohammed Mahfouz Alhassan, A. A.-Q., 2017. Information Security in an organization.
[Online]
Available at:
https://www.researchgate.net/publication/314086143_Information_Security_in_an_Orga
nization
[Accessed 25 5 2021].
Pahwa, M., 2018. Identification, Authentication, Authorization, and Accountability.
[Online]
Available at: https://www.mayurpahwa.com/2018/06/identification-authentication.html
[Accessed 25 5 2021].
Qahtan M. Shallal, M. U. B., 2016. A review of symetric key encryption techniques in
cryptography. [Online]
Available at:
https://www.researchgate.net/publication/333118027_A_Review_on_Symmetric_Key_E
ncryption_Techniques_in_Cryptography
[Accessed 25 5 2021].
Shruti Shreya, N. S. K., 2020. Footprinting: Techniques, tools and countermeasures for
footprinting. [Online]
Available at:
https://www.researchgate.net/publication/343236950_Footprinting_Techniques_Tools_a
43
Aayush Gotame
CC5004NI SECURITY IN COMPUTING

nd_Countermeasures_for_Footprinting
[Accessed 25 5 2021].
Smart Eye Technology, 2020. Confidentiality, Integrity and Availability. [Online]
Available at: https://smarteyetechnology.com/confidentiality-integrity-availability-basics-
of-information-security/
[Accessed 25 5 2021].
Stallings, W., 2010. Cryptography and Network Security, Fifth Edition. In: APPENDIIX G.
s.l.:Prentice Hall, pp. G1 - G12.
Talukder, S., 2020. tools and Techniques for Malware Detection and Analysis. [Online]
Available at:
https://www.researchgate.net/publication/339301928_Tools_and_Techniques_for_Malw
are_Detection_and_Analysis
[Accessed 26 5 2021].
Tawfik Mudarri, S. A. A.-R., 2015. Security Fundamentals: Access Control Models.
[Online]
Available at:
https://www.researchgate.net/publication/282219117_SECURITY_FUNDAMENTALS_A
CCESS_CONTROL_MODELS
[Accessed 25 5 2021].
Tech Target Contributor, 2021. What is google hacking. [Online]
Available at: https://searchsecurity.techtarget.com/definition/Google-hacking
[Accessed 25 5 2021].
w3schools, 2021. Scanning Techniques. [Online]
Available at: https://www.w3schools.in/ethical-hacking/scanning-techniques/
[Accessed 25 5 2021].
Yackel, R., 2020. When to use Symmetric vs Asymmetric Encryption. [Online]
Available at: https://blog.keyfactor.com/symmetric-vs-asymmetric-encryption
[Accessed 25 5 2021].

44
Aayush Gotame